mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-09-22 16:47:14 +00:00
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has an id N.M, a desc property describing the test, and the result. Some tests include additional information about the test e.g. "No TLS Certificate Found". That can be found in an optional details property of the test object. Also, some tests might also return a list of containers, images, users, etc. This is included in an optional items property of the test object. Instead of having all test results as top-level objects, break the test results into sections. Each section has an id + description e.g. "1" and "Host Configuration". The tests for that section are an array below that object. All of the additional json output is implemented by adding new functions startsectionjson(), endsectionjson(), starttestjson(), and resulttestjson() that take the id/desc/etc as arguments and print the proper json properties. It also required adding an "end" test to each script that calls endsectionjson(). Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
parent
bbf43c88e1
commit
ec7d8ce690
11 changed files with 1006 additions and 427 deletions
|
|
@ -2,71 +2,91 @@
|
|||
|
||||
check_7() {
|
||||
logit "\n"
|
||||
info "7 - Docker Swarm Configuration"
|
||||
id_7="7"
|
||||
desc_7="Docker Swarm Configuration"
|
||||
check_7="$id_7 - $desc_7"
|
||||
info "$check_7"
|
||||
startsectionjson "$id_7" "$desc_7"
|
||||
}
|
||||
|
||||
# 7.1
|
||||
check_7_1() {
|
||||
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
|
||||
id_7_1="7.1"
|
||||
desc_7_1="Ensure swarm mode is not Enabled, if not needed"
|
||||
check_7_1="$id_7_1 - $desc_7_1"
|
||||
starttestjson "$id_7_1" "$desc_7_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
|
||||
pass "$check_7_1"
|
||||
logjson "7.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_7_1"
|
||||
logjson "7.1" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.2
|
||||
check_7_2() {
|
||||
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
|
||||
id_7_2="7.2"
|
||||
desc_7_2="Ensure the minimum number of manager nodes have been created in a swarm"
|
||||
check_7_2="$id_7_2 - $desc_7_2"
|
||||
starttestjson "$id_7_2" "$desc_7_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
managernodes=$(docker node ls | grep -c "Leader")
|
||||
if [ "$managernodes" -le 1 ]; then
|
||||
pass "$check_7_2"
|
||||
logjson "7.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_7_2"
|
||||
logjson "7.2" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_2 (Swarm mode not enabled)"
|
||||
logjson "7.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.3
|
||||
check_7_3() {
|
||||
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
|
||||
id_7_3="7.3"
|
||||
desc_7_3="Ensure swarm services are binded to a specific host interface"
|
||||
check_7_3="$id_7_3 - $desc_7_3"
|
||||
starttestjson "$id_7_3" "$desc_7_3"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
|
||||
if [ $? -eq 1 ]; then
|
||||
pass "$check_7_3"
|
||||
logjson "7.3" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_7_3"
|
||||
logjson "7.3" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_3 (Swarm mode not enabled)"
|
||||
logjson "7.3" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.4
|
||||
check_7_4(){
|
||||
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
|
||||
id_7_4="7.4"
|
||||
desc_7_4="Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
|
||||
check_7_4="$id_7_4 - $desc_7_4"
|
||||
starttestjson "$id_7_4" "$desc_7_4"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker network ls --filter driver=overlay --quiet | \
|
||||
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
|
||||
|
|
@ -77,120 +97,148 @@ check_7_4(){
|
|||
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
|
||||
grep -v 'encrypted:' 2>/dev/null 1>&2; then
|
||||
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
|
||||
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
|
||||
resulttestjson "WARN" "Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
|
||||
fi
|
||||
done
|
||||
else
|
||||
pass "$check_7_4"
|
||||
logjson "7.4" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.5
|
||||
check_7_5() {
|
||||
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
|
||||
id_7_5="7.5"
|
||||
desc_7_5="Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
|
||||
check_7_5="$id_7_5 - $desc_7_5"
|
||||
starttestjson "$id_7_5" "$desc_7_5"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
|
||||
pass "$check_7_5"
|
||||
logjson "7.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
info "$check_7_5"
|
||||
logjson "7.5" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_5 (Swarm mode not enabled)"
|
||||
logjson "7.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.6
|
||||
check_7_6() {
|
||||
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
|
||||
id_7_6="7.6"
|
||||
desc_7_6="Ensure swarm manager is run in auto-lock mode"
|
||||
check_7_6="$id_7_6 - $desc_7_6"
|
||||
starttestjson "$id_7_6" "$desc_7_6"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
|
||||
warn "$check_7_6"
|
||||
logjson "7.6" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_7_6"
|
||||
logjson "7.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_6 (Swarm mode not enabled)"
|
||||
logjson "7.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.7
|
||||
check_7_7() {
|
||||
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
|
||||
id_7_7="7.7"
|
||||
desc_7_7="Ensure swarm manager auto-lock key is rotated periodically"
|
||||
check_7_7="$id_7_7 - $desc_7_7"
|
||||
starttestjson "$id_7_7" "$desc_7_7"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
note "$check_7_7"
|
||||
logjson "7.7" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_7_7 (Swarm mode not enabled)"
|
||||
logjson "7.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.8
|
||||
check_7_8() {
|
||||
check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
|
||||
id_7_8="7.8"
|
||||
desc_7_8="Ensure node certificates are rotated as appropriate"
|
||||
check_7_8="$id_7_8 - $desc_7_8"
|
||||
starttestjson "$id_7_8" "$desc_7_8"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
|
||||
pass "$check_7_8"
|
||||
logjson "7.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
info "$check_7_8"
|
||||
logjson "7.8" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_8 (Swarm mode not enabled)"
|
||||
logjson "7.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.9
|
||||
check_7_9() {
|
||||
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
|
||||
id_7_9="7.9"
|
||||
desc_7_9="Ensure CA certificates are rotated as appropriate"
|
||||
check_7_9="$id_7_9 - $desc_7_9"
|
||||
starttestjson "$id_7_9" "$desc_7_9"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
info "$check_7_9"
|
||||
logjson "7.9" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_7_9 (Swarm mode not enabled)"
|
||||
logjson "7.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.10
|
||||
check_7_10() {
|
||||
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
|
||||
id_7_10="7.10"
|
||||
desc_7_10="Ensure management plane traffic has been separated from data plane traffic"
|
||||
check_7_10="$id_7_10 - $desc_7_10"
|
||||
starttestjson "$id_7_10" "$desc_7_10"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
info "$check_7_10"
|
||||
logjson "7.10" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_7_10 (Swarm mode not enabled)"
|
||||
logjson "7.10" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
check_7_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue